July 28, 2022

Last Updated on January 19, 2024

One of the most widely discussed cybersecurity standards in recent years, the US Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC) is just one of many recent cybersecurity initiatives driven by the US government. A key influence on overall US cyber policy is the Cyberspace Solarium Commission (CSC) report from March 2020, which details more than 80 recommendations on “defending the United States in cyberspace against cyber attacks of significant consequences.”

How do the CSC report and ongoing efforts to operationalize its recommendations affect CMMC? How does the CSC report factor into efforts across “the dot-gov” and its supply chains to protect Controlled Unclassified Information (CUI)?

To cover the key aspects of the CSC report, a recent episode of The Virtual CISO podcast features Mark Montgomery, former CSC Executive Director and now Senior Fellow at the Foundation for Defense of Democracies. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the podcast.

The need for assessments

According to Mark, a key point about CMMC is that it has teeth, in the form of third-party assessments; his worry is that those assessments could decay into checklist management.

“I support what they’re doing with CMMC and I think they’re stepping off in the right direction now,” offers Mark. “I do worry that with so many people, there’s a risk of this defaulting into checklist management, versus having iterative assessments going on.”

“We eventually have to get to where threat hunting is allowed throughout the DIB, and we recommended that in our commission report,” adds Mark.

Compliance versus security

John acknowledges that audits by their nature involve comparison to a standard, which invites a compliance mentality rather than a security mentality.

“If the standard is good and you actually truly are compliant, you’re probably secure,” John notes. “I think what you’re advocating is more a type of mechanism by which there is an ability to validate—in an unscheduled way—that the security systems are working as intended.”

CUI controls across the dot-gov

Is CMMC, built on NIST SP 800-171, the ultimate CUI protection standard for all US government agencies?

“Eventually, the dot-gov (including non-DoD federal agencies) needs to get the right standards for these things,” asserts Mark. “I think they could learn a lot from watching DoD go through these growing pains and then figure out how to bring it over.”

Mark thinks that would be a great job for the National Cyber Director: “He needs to look at it strategically to get the timing right and then work with his deputy, who’s the CISO for the federal government, Chris DeRusha, and then Jen Easterly [Director of CISA] and say to the two of them, ‘How do we begin to implement this?’”

What’s next?

To listen to the entire podcast episode with Beltway cyber insider Mark Montgomery, click here.

What should your company be doing to get ready for new US government cyber regulations? This blog post shares key info: 4 Key Responses to New US Government Cybersecurity Regulations
